
Can't get user token when using external auth

Open SteelAlloy opened this issue 1 year ago • 7 comments

Describe the current behavior

To retrieve a token that can be used via the API, you need to go through the endpoint api/v1/users/token according to the documentation.

However, when you change the authentication mode to something other than local auth, e.g. peertube-plugin-auth-openid-connect, this no longer works.

And as this endpoint requires a password, I don't see how to proceed.

Steps to reproduce

  1. Create a user, set password manually or via the API
  2. Change auth plugin for this user
  3. Try to get a user API token

Describe the expected behavior

Two solutions:

  • The password method works when a password is set via the API
  • Another endpoint to create user token for external auth plugins

Additional information

  • PeerTube instance:

    • URL:
    • Version: 6.0.2
    • NodeJS version:
    • Ffmpeg version:
  • Browser name, version and platforms on which you could reproduce the bug:

  • Link to browser console log if relevant:

  • Link to server log if relevant (journalctl or /var/www/peertube/storage/logs/):

SteelAlloy avatar Mar 07 '24 17:03 SteelAlloy

Can you describe the command/HTTP call that doesn't work? /api/v1/oauth-clients/local is not related to users and does not require a password.

Chocobozzz avatar Mar 08 '24 13:03 Chocobozzz

Wrong endpoint, I was talking about api/v1/users/token.

(edited description accordingly)

SteelAlloy avatar Mar 08 '24 14:03 SteelAlloy

Users with an external auth plugin that uses classic username/password (like LDAP) can use the classic api/v1/users/token endpoint.

But remote external auth plugins (like openid-connect or saml) require the user to authenticate on their own web page. After a successful authentication, the remote auth platform redirects the user to your PeerTube instance login page with an externalAuthToken query param, used by the PeerTube client that sends it to the server.

Can you detail your use case?

Chocobozzz avatar Mar 08 '24 14:03 Chocobozzz

I'm writing a script for my university to facilitate mass video upload. Those videos are uploaded to one channel only, so I could switch the auth plugin for this user each time I run the script, but this is not ideal.

SteelAlloy avatar Mar 08 '24 15:03 SteelAlloy

We have to implement https://tools.ietf.org/html/rfc8628 in the openid PeerTube plugin.

Then provide a way for external auth plugins to declare an authentication method that doesn't use the PeerTube client.

Chocobozzz avatar Mar 15 '24 15:03 Chocobozzz
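
As an added illustration of the RFC 8628 device authorization grant mentioned in the last comment (not code from PeerTube or the OpenID Connect plugin, which according to the thread do not offer this flow yet), this Python example shows the client-side polling loop an upload script would run while the user approves the login in a browser. The `post` callable, the client ID and every response are constructed placeholders; the field names, the default interval and the `slow_down` handling follow the RFC.

```python
import time

DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"

class DeviceFlowError(Exception):
    """Terminal failure: access_denied, expired_token or an unexpected reply."""

def poll_for_token(post, client_id, device_resp, sleep=time.sleep, now=time.monotonic):
    """Poll the token endpoint until the user approves, denies, or the code expires.

    post: hypothetical callable sending a form POST to the identity provider's
          token endpoint and returning (http_status, json_dict).
    device_resp: JSON from the device authorization endpoint (RFC 8628 s. 3.2).
    """
    interval = int(device_resp.get("interval", 5))   # RFC default when absent
    deadline = now() + int(device_resp["expires_in"])
    while now() < deadline:
        sleep(interval)
        status, body = post({
            "grant_type": DEVICE_GRANT,
            "device_code": device_resp["device_code"],
            "client_id": client_id,
        })
        if status == 200 and "access_token" in body:
            return body
        error = body.get("error")
        if error == "authorization_pending":
            continue                                  # user has not finished yet
        if error == "slow_down":
            interval += 5                             # RFC 8628 s. 3.5 back-off
            continue
        raise DeviceFlowError(error or f"unexpected HTTP {status}")
    raise DeviceFlowError("expired_token")

def demo():
    # Constructed replies standing in for an identity provider.
    replies = iter([
        (400, {"error": "authorization_pending"}),
        (400, {"error": "slow_down"}),
        (200, {"access_token": "constructed-token", "token_type": "Bearer"}),
    ])
    waits, clock = [], [0.0]
    def fake_sleep(seconds):
        waits.append(seconds); clock[0] += seconds
    token = poll_for_token(
        lambda form: next(replies), "constructed-client",
        {"device_code": "constructed-code", "expires_in": 600, "interval": 5},
        sleep=fake_sleep, now=lambda: clock[0])
    return token["access_token"], waits
```

A token obtained this way is issued by the identity provider; accepting it on the PeerTube side is the second step the comment above describes as still to be provided.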